Attachment: Romance scam with image lure and advance-fee or suspicious link indicators

Detects inbound messages that are not replies, forwards, or mailing list communications, and contain image attachments (JPG or PNG) alongside body text classified as romantic or sexually explicit in nature. The messages either include links to known redirector or free hosting domains (such as geno.link or sites.google.com), or exhibit advance-fee fraud intent while routing replies to a free email provider despite originating from a corporate-looking sender domain. Senders observed span spoofed government and business addresses as well as free webmail accounts, with subject lines using romantic or personal connection lures.

Sublime rule (View on GitHub)

 1name: "Attachment: Romance scam with image lure and advance-fee or suspicious link indicators"
 2description: "Detects inbound messages that are not replies, forwards, or mailing list communications, and contain image attachments (JPG or PNG) alongside body text classified as romantic or sexually explicit in nature. The messages either include links to known redirector or free hosting domains (such as geno.link or sites.google.com), or exhibit advance-fee fraud intent while routing replies to a free email provider despite originating from a corporate-looking sender domain. Senders observed span spoofed government and business addresses as well as free webmail accounts, with subject lines using romantic or personal connection lures."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and not subject.is_reply
 8  and not subject.is_forward
 9  and not any(headers.hops,
10              any(.fields,
11                  strings.ilike(.name, "List-Id")
12                  or strings.ilike(.name, "List-Unsubscribe")
13              )
14  )
15  and any(attachments, .file_type in ("jpg", "png"))
16  and any(ml.nlu_classifier(body.current_thread.text).topics,
17          .name in ("Romance", "Sexually Explicit Messages")
18          and .confidence != 'low'
19  )
20  and (
21    any(body.links, .href_url.domain.domain in ("geno.link", "sites.google.com"))
22    or (
23      any(headers.reply_to, .email.domain.root_domain in $free_email_providers)
24      and sender.email.domain.root_domain not in $free_email_providers
25      and any(ml.nlu_classifier(body.current_thread.text).intents,
26              .name == "advance_fee" and .confidence != 'low'
27      )
28    )
29  )  
30attack_types:
31  - "BEC/Fraud"
32  - "Spam"
33tactics_and_techniques:
34  - "Social engineering"
35  - "Image as content"
36  - "Free email provider"
37  - "Free file host"
38  - "Out of band pivot"
39detection_methods:
40  - "Natural Language Understanding"
41  - "Header analysis"
42  - "Sender analysis"
43  - "Content analysis"
44  - "URL analysis"
45  - "File analysis"
46id: "e1ce7a70-7528-5b3e-ad61-0721757ae390"
to-top